/ɔːˌθɒr.ɪˌzeɪ.ʃən/

noun — “the system’s way of saying, ‘okay, you’re you… now, what are you allowed to touch?’”

Authorization is the process of determining what actions an authenticated user, device, or system can perform on a resource. It comes after Authentication, which verifies identity, and answers questions like: can this user read a file, execute a program, modify a database entry, or access a restricted API? Authorization ensures that verified entities only interact with resources in ways they are permitted, enforcing security and operational policies.

Authorization works hand-in-hand with User Accounts, File Permissions, and Access Control Lists. While authentication confirms “who you are,” authorization maps that identity to a set of privileges. Systems may implement authorization using role-based access control (RBAC), attribute-based access control (ABAC), or policy-based models, allowing administrators to scale permissions efficiently and adapt to complex organizational structures.
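The RBAC and ABAC models described above, as an added example that is not part of the original entry: a small deny-by-default decision function that first asks whether any of the principal's roles grants the action (RBAC) and then applies an attribute rule about the resource (ABAC). The roles, departments, resource classifications and the policy itself are constructed for illustration and are not from any real system.

```python
from dataclasses import dataclass

# RBAC layer: each role maps to the actions it grants. Roles and actions are
# constructed for this example; real systems load them from an identity store.
ROLE_PERMISSIONS = {
    "admin":     {"repo:read", "repo:write", "user:delete"},
    "developer": {"repo:read", "repo:write"},
    "intern":    {"repo:read"},
}


@dataclass(frozen=True)
class Principal:
    """The authenticated identity making the request (attributes are constructed)."""
    name: str
    roles: frozenset
    department: str


@dataclass(frozen=True)
class Resource:
    """The thing being accessed; classification drives the ABAC rule below."""
    kind: str
    owner_department: str
    classification: str = "internal"   # "internal" or "confidential"


def rbac_allows(principal, action):
    """True if at least one of the principal's roles grants the action.
    Unknown roles grant nothing, so a misspelled role name fails closed."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in principal.roles)


def abac_allows(principal, action, resource):
    """Attribute rule layered on top of RBAC (constructed policy): writes to a
    confidential resource are only permitted from its owning department."""
    if resource.classification == "confidential" and action.endswith(":write"):
        return principal.department == resource.owner_department
    return True


def authorize(principal, action, resource):
    """Deny-by-default decision. Returns (allowed, reason) so the reason can be
    written to an audit log; every layer must approve for access to be granted."""
    if not rbac_allows(principal, action):
        return False, f"role(s) {sorted(principal.roles)} do not grant {action}"
    if not abac_allows(principal, action, resource):
        return False, f"{resource.classification} {resource.kind} is owned by {resource.owner_department}"
    return True, "allowed by role and attribute policy"


if __name__ == "__main__":
    repo = Resource("repo", owner_department="platform", classification="confidential")
    dev = Principal("dana", frozenset({"developer"}), department="mobile")
    print(authorize(dev, "repo:write", repo))   # denied: wrong department for a confidential repo
```

The order matters for the failure modes the entry mentions: the RBAC check rejects unknown roles and actions outright, and the ABAC check can only narrow what RBAC already granted, never widen it, so a mistake in either layer errs toward denial.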

In practical usage, authorization applies across operating systems, network services, cloud platforms, and web applications. For example, a Unix system will authenticate a user with a password, then use the file mode bits set by chmod and any ACLs to authorize which files or directories the user may access. In web services, OAuth scopes, JWT claims, and API keys define which endpoints a user or application is authorized to call.
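The Unix mode-bit check mentioned above, as an added example that is not part of the original entry: a function that turns an ls-style permission string into the numeric mode chmod uses, and a simplified model of the kernel's decision (owner class, then group, then other, with only the first matching class consulted). The file ownership and uids are constructed; POSIX ACLs, capabilities and directory search semantics are deliberately left out.

```python
# Permission bits as used by chmod and in the rwx display of ls -l.
R, W, X = 4, 2, 1


def parse_mode(symbolic):
    """Convert an ls-style string such as 'rw-r-----' into the numeric mode (0o640).
    Raises ValueError on anything that is not nine rwx characters."""
    if len(symbolic) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for i, ch in enumerate(symbolic):
        expected = "rwx"[i % 3]
        if ch == expected:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return mode


def unix_access(mode, owner_uid, owner_gid, uid, gids, requested):
    """Decide whether the caller (uid, set of gids) may perform the requested
    bitmask of R/W/X on a file with the given mode and ownership.
    Simplified model: the first matching class (owner, then group, then other)
    is used and the others are ignored, as in the kernel; the superuser bypasses
    read/write bits but still needs some execute bit to run a file."""
    if uid == 0:
        return not (requested & X) or bool(mode & 0o111)
    if uid == owner_uid:
        granted = (mode >> 6) & 0o7
    elif owner_gid in gids:
        granted = (mode >> 3) & 0o7
    else:
        granted = mode & 0o7
    return (granted & requested) == requested


if __name__ == "__main__":
    # Constructed metadata: a report owned by uid 1000 / gid 100 with mode rw-r-----.
    mode = parse_mode("rw-r-----")
    print(unix_access(mode, 1000, 100, 1001, {100}, R))   # True: group member may read
    print(unix_access(mode, 1000, 100, 1001, {100}, W))   # False: group lacks write
```

The first-match rule is the detail practitioners most often get wrong: a file with mode `---rw----` is unreadable by its own owner even when the owner is also in the file's group, because once the owner class matches, the group bits are never consulted.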

Real-world scenarios include granting read-only access to interns while allowing developers full access to a code repository, or limiting administrative privileges in a corporate network. Authorization ensures least-privilege enforcement, reduces risk of accidental or malicious operations, and supports compliance audits. It often integrates with identity management systems to automate role assignments and monitor policy adherence.

Some illustrative examples (pseudo-code in a Python-like syntax):

# Role-based access control (RBAC): the role decides the permitted action
if user.role == "Admin":
    allow("delete_user")
elif user.role == "Editor":
    allow("edit_content")
else:
    allow("view_only")

# Web API token scopes: the scopes carried by a validated token decide which endpoints may be called
token = parse_token("abc123xyz")   # verify the token before trusting its scopes
if token.has_scope("read:reports"):
    fetch_reports()
else:
    deny_access()

# Unix permissions check: the file's mode bits and ACLs decide whether this user may open it for writing
if check_permissions(user, file) == "read/write":
    open_file(file)
else:
    deny_access()

Authorization is like a digital bouncer with a clipboard: you’ve proven who you are, but only the ones on the VIP list get backstage access.

See Authentication, User Accounts, Access Control Lists, Roles and Groups, Identity Management.